How STIX, TAXII and CyBOX Combine to Form a Threat Intelligence Ecosystem

The job of amalgamating threat intelligence is difficult. There is nonetheless much progress being made to communicate risks, make them actionable or take automated action, all while authenticating the sources of the threat data in a useful way. Among several ecosystems, STIX, TAXII and CyBOX have become popular vehicles and methods for communicating and storing threat intelligence. Generally speaking, amalgamation is the future of threat intelligence, but processes and protections need to be put into place first so that the systems designed to protect companies don't instead put them at risk.

Structured Threat Information eXpression (STIX) is the language for describing the threat information itself. Trusted Automated eXchange of Indicator Information (TAXII) describes the services and message exchanges used to transport it.

Cyber Observable eXpression (CyBOX) is a schema for representing the observable states described in the language of STIX and carried or processed in some manner by TAXII. CyBOX is due to be folded into STIX's own description language shortly, as part of the STIX 2.0 specification.

When stitched together, STIX, TAXII and CyBOX provide the basis for an automated interchange of threat data, much like how Amazon processes an order through its fulfillment pipeline. The importance of a threat intelligence ecosystem cannot be overstated.

My anecdotal experience with amalgamated threat intelligence has been positive. Every day, the websites I administrate receive threat intelligence through an app called WordFence. In turn, WordFence uses its presence on thousands of sites to aggregate threats and dubious hits that each WordFence-protected site is seeing. This data becomes a set of distributed blocks against specific IP addresses. Although this model is sophisticated in many ways, it’s also primitive. Why? There is no amalgamation of vendors like WordFence using this technique.

What if we--meaning all systems security entities--shared data about the bad guys? Can we be sure they’re bad? WordFence has a process to determine this, based on distributed behavioral intelligence. It’s my belief that we create an inner-Internet by doing so. This bifurcation has its strengths, but also its potential weaknesses.

There is a possible risk: misidentification. I could see a Max Headroom-like episode occur where, suddenly, your organization's IP and/or DNS addresses became blacklisted by a cabal of threat intelligence sources. This recently happened to Zoho, which was shut down by its hosting company, ostensibly for highly suspect traffic. Imagine going off the radar because your organization's IP addresses have been evaluated as hostile due to fraudulent activity reports or doxxing. DNS is fine, but an aggregation of sources believes your organization to be hostile. There would be a crater on the Internet where your turf once stood. Amalgamated threat intelligence is powerful, but procedural mechanisms need to evolve before widespread implementation can be both safe and effective.

Fortunately, there are protections in place to authenticate sources of data so that fraudulent or incorrect information can be uprooted and the correction propagated, all while spreading information about the bad guys in a way that enables organizations to act on it. If a site I control is somehow hijacked, blacklisting the site also means I can't go in and fix it. Rules need to be in place, and protocols designed and matched.
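The ecosystem stitched together above (STIX indicators whose patterns reference CyBOX-style observables, delivered over TAXII) and the safeguards the two preceding paragraphs call for, as an added example that is not part of the original article and is not code from any vendor named here. It consumes a STIX 2.0 bundle shaped like the body of a TAXII 2.0 collection objects response, evaluates each indicator against observed IPv4 hits, and refuses to act on indicators that are revoked (the "uprooted" case), outside their validity window, or that name the consumer's own address space. The bundle, its UUIDs, the addresses and the own-network list are all constructed; only a single-comparison pattern such as `[ipv4-addr:value = '203.0.113.7']` is parsed, which is an assumption, not the full STIX patterning grammar.

```python
"""Added example: act on a STIX 2.0 bundle as a TAXII 2.0 collection would
return it, with guard rails before a match becomes a block. All IDs,
addresses and the bundle itself are constructed for illustration."""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed sample, shaped like the body of a TAXII 2.0
# "GET /{api-root}/collections/{id}/objects/" response
# (Accept: application/vnd.oasis.stix+json; version=2.0). UUIDs are made up.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--5d1e1b3a-0000-4000-8000-000000000001",
    "spec_version": "2.0",
    "objects": [
        {   # live indicator for a scanner many sites have seen
            "type": "indicator",
            "id": "indicator--aaaaaaaa-0000-4000-8000-000000000001",
            "created": "2017-03-01T00:00:00.000Z",
            "modified": "2017-03-01T00:00:00.000Z",
            "labels": ["malicious-activity"],
            "pattern": "[ipv4-addr:value = '203.0.113.7']",
            "valid_from": "2017-03-01T00:00:00Z",
        },
        {   # indicator whose validity window has closed
            "type": "indicator",
            "id": "indicator--bbbbbbbb-0000-4000-8000-000000000002",
            "created": "2017-01-01T00:00:00.000Z",
            "modified": "2017-01-01T00:00:00.000Z",
            "labels": ["malicious-activity"],
            "pattern": "[ipv4-addr:value = '198.51.100.9']",
            "valid_from": "2017-01-01T00:00:00Z",
            "valid_until": "2017-02-01T00:00:00Z",
        },
        {   # indicator the producer later withdrew (the "uprooted" case)
            "type": "indicator",
            "id": "indicator--cccccccc-0000-4000-8000-000000000003",
            "created": "2017-02-10T00:00:00.000Z",
            "modified": "2017-02-20T00:00:00.000Z",
            "revoked": True,
            "labels": ["malicious-activity"],
            "pattern": "[ipv4-addr:value = '198.51.100.44']",
            "valid_from": "2017-02-10T00:00:00Z",
        },
        {   # indicator naming one of our own addresses: misidentification risk
            "type": "indicator",
            "id": "indicator--dddddddd-0000-4000-8000-000000000004",
            "created": "2017-03-02T00:00:00.000Z",
            "modified": "2017-03-02T00:00:00.000Z",
            "labels": ["malicious-activity"],
            "pattern": "[ipv4-addr:value = '192.0.2.10']",
            "valid_from": "2017-03-02T00:00:00Z",
        },
    ],
})

# Assumption: only the simplest STIX pattern form is handled, one comparison
# such as [ipv4-addr:value = '203.0.113.7']. Anything else is skipped.
_SIMPLE_PATTERN = re.compile(r"^\[\s*([\w-]+):([\w.-]+)\s*=\s*'([^']*)'\s*\]$")


def parse_simple_pattern(pattern):
    """Return (object_type, property, value) or None for unsupported patterns."""
    m = _SIMPLE_PATTERN.match(pattern)
    return m.groups() if m else None


def _ts(value):
    # STIX timestamps are RFC 3339 in UTC with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inactive_reason(indicator, now):
    """Why an indicator must not be acted on right now, or None if it may be."""
    if indicator.get("revoked"):
        return "revoked"
    if _ts(indicator["valid_from"]) > now:
        return "not yet valid"
    if "valid_until" in indicator and _ts(indicator["valid_until"]) <= now:
        return "expired"
    return None


def evaluate_bundle(bundle_json, observed_ips, own_networks, now):
    """Map a bundle to (addresses_to_block, {indicator_id: why_it_was_skipped})."""
    own = [ipaddress.ip_network(n) for n in own_networks]
    to_block, skipped = [], {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        parsed = parse_simple_pattern(obj["pattern"])
        if parsed is None or parsed[:2] != ("ipv4-addr", "value"):
            skipped[obj["id"]] = "unsupported pattern"
            continue
        reason = inactive_reason(obj, now)
        if reason:
            skipped[obj["id"]] = reason
            continue
        if any(ipaddress.ip_address(parsed[2]) in net for net in own):
            # Never auto-block ourselves on a feed's say-so; route to a human.
            skipped[obj["id"]] = "names our own address space"
            continue
        if parsed[2] in observed_ips:
            to_block.append(parsed[2])
    return to_block, skipped


# Constructed demo inputs: hits seen at the perimeter and our own netblock.
DEMO_NOW = datetime(2017, 3, 5, tzinfo=timezone.utc)
DEMO_HITS = {"203.0.113.7", "198.51.100.9", "198.51.100.44", "192.0.2.10"}
OWN_NETWORKS = ["192.0.2.0/24"]


def demo():
    return evaluate_bundle(SAMPLE_BUNDLE, DEMO_HITS, OWN_NETWORKS, DEMO_NOW)


if __name__ == "__main__":
    print(demo())
```

Only the first indicator produces a block; the other three are recorded with the reason they were held back, which is the audit trail an operator would want when a feed turns out to be wrong. Indicators whose patterns the parser does not understand are skipped rather than guessed at, since an indicator that is misread is as dangerous as one that is fraudulent.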

The STIX/TAXII approach to threat intelligence transfer is sanctioned by the U.S. Computer Emergency Readiness Team, also known as US-CERT. It's put into practice by a growing number of products that are designed to enhance each other, although the actions taken when presented with the information are still up to the administrative controls of each product.

Many threat intelligence vendors are putting amalgamation models based on the STIX/TAXII specifications to work. A good example is the endpoint protection scheme offered by Carbon Black. Without going into strenuous detail, Carbon Black is an endpoint wrapping ecosystem that both records activity and mitigates threats. In turn, Carbon Black admins can take Anomali-fed amalgamated data to augment the inputs received by the wrappers on its endpoint devices, potentially shortening the time to detect new or novel behaviors. The two companies are independent of each other, and the Anomali feeds likely augment the coverage provided by Carbon Black's own endpoint protection.

There are also formalized industry networks that perform amalgamated information reporting, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). This organization, protecting worldwide financial assets, holds exercises and training designed to address an industry-wide security need. It's my prediction that we'll see more industrial efforts that amalgamate threat data into what were once mutual protection societies against threats from the open Internet. Hanseatic Leagues of threat protection? It's in our future.